feat: complete variable management implementation and update documentation

- Update remaining Docker Compose templates with centralized variables
- Fix service tag isolation to deploy individual services only
- Update all README files with variable management architecture
- Document variable hierarchy in DEPLOYMENT_LEARNINGS.md
- Add comprehensive variable usage patterns to CLAUDE.md
- Standardize domain references using {{ subdomains.* }} pattern
- Replace hardcoded network names with {{ docker.network_name }}
- Update hairpinning configuration to use variables

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

roles/docker/templates/appriseapi-compose.yml.j2

@@ -2,7 +2,7 @@ services:
   apprise:
     container_name: apprise
     ports:
-      - 100.70.169.99:8000:8000
+      - {{ network.docker_host_ip }}:8000:8000
     environment:
       - APPRISE_STATEFUL_MODE=simple
       - APPRISE_WORKER_COUNT=1
@@ -14,7 +14,7 @@ services:
     labels:
       glance.name: Apprise
       glance.icon: si:imessage
-      glance.url: https://auth.thesatelliteoflove.com/
+      glance.url: https://{{ subdomains.appriseapi }}/
       glance.description: Apprise api server
       glance.id: apprise
     
@@ -25,4 +25,4 @@ volumes:
 networks:
   default:
     external: true
-    name: lava
+    name: {{ docker.network_name }}

roles/docker/templates/baikal-compose.yml.j2

@@ -8,7 +8,7 @@ services:
     labels:
       glance.name: Baikal
       glance.icon: si:protoncalendar
-      glance.url: https://cal.thesatelliteoflove.com/
+      glance.url: https://{{ subdomains.cal }}/
       glance.description: CalDav server
 
 volumes:
@@ -18,4 +18,4 @@ volumes:
 networks:
   default:
     external: true
-    name: lava
+    name: {{ docker.network_name }}

roles/docker/templates/caddy-compose.yml.j2

@@ -16,11 +16,11 @@ services:
     labels:
       glance.name: Caddy
       glance.icon: si:caddy
-      glance.url: https://thesatelliteoflove.com/
+      glance.url: https://{{ primary_domain }}/
       glance.description: Reverse proxy
     networks:
       default:
-        ipv4_address: 172.20.0.5
+        ipv4_address: {{ docker.hairpin_ip }}
 volumes:
   caddy_data:
   caddy_config:
@@ -28,4 +28,4 @@ volumes:
 networks:
   default:
     external: true
-    name: lava
+    name: {{ docker.network_name }}

roles/docker/templates/codeserver-compose.yml.j2

@@ -5,7 +5,7 @@ services:
     labels:
       glance.name: Code Server
       glance.icon: si:vscodium
-      glance.url: https://code.thesatelliteoflove.com/
+      glance.url: https://{{ subdomains.code }}/
       glance.description: Code Server
     container_name: codeserver
     volumes:
@@ -19,4 +19,4 @@ volumes:
 networks:    
   default:
     external: true
-    name: lava
+    name: {{ docker.network_name }}

roles/docker/templates/conduit-compose.yml.j2

@@ -7,10 +7,10 @@ services:
         labels:
           glance.name: Conduit
           glance.icon: si:matrix
-          glance.url: https://chat.thesatelliteoflove.com/
+          glance.url: https://{{ subdomains.chat }}/
           glance.description: Matrix server
         environment:
-            CONDUIT_SERVER_NAME: chat.thesatelliteoflove.com # EDIT THIS
+            CONDUIT_SERVER_NAME: {{ subdomains.chat }} # EDIT THIS
             CONDUIT_DATABASE_PATH: /var/lib/matrix-conduit/
             CONDUIT_DATABASE_BACKEND: rocksdb
             CONDUIT_PORT: 6167
@@ -43,4 +43,4 @@ volumes:
 networks:
   default:
     external: true
-    name: lava
+    name: {{ docker.network_name }}

roles/docker/templates/hoarder-compose.yml.j2

@@ -10,8 +10,8 @@ services:
     env_file:
       - .env
     extra_hosts:
-      - 'auth.thesatelliteoflove.com:172.20.0.5'
-      - bookmarks.thesatelliteoflove.com:172.20.0.5
+      - '{{ subdomains.auth }}:{{ docker.hairpin_ip }}'
+      - '{{ subdomains.bookmarks }}:{{ docker.hairpin_ip }}'
     environment:
       MEILI_ADDR: http://meilisearch:7700
       DATA_DIR: /data
@@ -19,7 +19,7 @@ services:
     labels:
       glance.name: Karakeep
       glance.icon: si:wikibooks
-      glance.url: https://bookmarks.thesatelliteoflove.com/
+      glance.url: https://{{ subdomains.bookmarks }}/
       glance.description: Bookmark manager
       glance.id: karakeep
   chrome:
@@ -53,4 +53,4 @@ volumes:
 networks:
   default:
     external: true
-    name: lava
+    name: {{ docker.network_name }}

roles/docker/templates/paperlessngx-compose.yml.j2

@@ -14,7 +14,7 @@ services:
     labels:
       glance.name: Paperless NGX
       glance.icon: si:paperlessngx
-      glance.url: https://papers.thesatelliteoflove.com/
+      glance.url: https://{{ subdomains.paper }}/
       glance.description: Document server
       glance.id: paperlessngx
     depends_on:
@@ -28,7 +28,7 @@ services:
       - ./consume:/usr/src/paperless/consume
     env_file: docker-compose.env
     extra_hosts:
-      - 'auth.thesatelliteoflove.com:172.20.0.5'
+      - '{{ subdomains.auth }}:{{ docker.hairpin_ip }}'
     environment:
       PAPERLESS_REDIS: redis://broker:6379
       PAPERLESS_TIKA_ENABLED: 1
@@ -65,4 +65,4 @@ volumes:
 networks:
   default:
     external: true
-    name: lava
+    name: {{ docker.network_name }}

roles/docker/templates/paperlessngx.env.j2

@@ -24,7 +24,7 @@
 
 # This is required if you will be exposing Paperless-ngx on a public domain
 # (if doing so please consider security measures such as reverse proxy)
-PAPERLESS_URL=https://{{ subdomains.papers }}
+PAPERLESS_URL=https://{{ subdomains.paper }}
 
 # Adjust this key if you plan to make paperless available publicly. It should
 # be a very long sequence of random characters. You don't need to remember it.

roles/docker/templates/pingvin-compose.yml.j2

@@ -5,11 +5,11 @@ services:
     environment:
       - TRUST_PROXY=true
     extra_hosts:
-      - 'auth.thesatelliteoflove.com:172.20.0.5'
+      - '{{ subdomains.auth }}:{{ docker.hairpin_ip }}'
     labels:
       glance.name: Pingvin
       glance.icon: si:files
-      glance.url: http://netcup.porgy-porgy.ts.net:8945
+      glance.url: https://{{ subdomains.files }}
       glance.description: File sharing service
       glance.id: pingvin
     volumes:
@@ -21,4 +21,4 @@ volumes:
 networks:
   default:
     external: true
-    name: lava
+    name: {{ docker.network_name }}

roles/docker/templates/postiz-compose.yml.j2

@@ -5,9 +5,9 @@ services:
     restart: always
     environment:
       # You must change these. Replace `postiz.your-server.com` with your DNS name - what your web browser sees.
-      MAIN_URL: "https://post.thesatelliteoflove.com"
-      FRONTEND_URL: "https://post.thesatelliteoflove.com"
-      NEXT_PUBLIC_BACKEND_URL: "https://post.thesatelliteoflove.com/api"
+      MAIN_URL: "https://{{ subdomains.post }}"
+      FRONTEND_URL: "https://{{ subdomains.post }}"
+      NEXT_PUBLIC_BACKEND_URL: "https://{{ subdomains.post }}/api"
       JWT_SECRET: "TShr6Fdcwf67wIhuUvg0gOsJbdcQmgMiJl5kUh6JCfY="
  
       # These defaults are probably fine, but if you change your user/password, update it in the
@@ -24,7 +24,7 @@ services:
 
       # Social keys
       LINKEDIN_CLIENT_ID: "86q7ksc8q5pai3"
-      LINKEDIN_CLIENT_SECRET: {{ linkedin_secret }}
+      LINKEDIN_CLIENT_SECRET: {{ vault_postiz.linkedin_secret }}
     volumes:
       - postiz-config:/config/
       - postiz-uploads:/uploads/
@@ -35,7 +35,7 @@ services:
         condition: service_healthy
     labels:
       glance.name: Postiz
-      glance.url: https://post.thesatelliteoflove.com/
+      glance.url: https://{{ subdomains.post }}/
       glance.description: Social media scheduler
       glance.id: postiz
  
@@ -90,4 +90,4 @@ volumes:
 networks:
   default:
     external: true
-    name: lava
+    name: {{ docker.network_name }}